Security concern re: group message wrapping (invisible salamanders attack)

Bringing Soatok’s Fediverse post here so it doesn’t get buried.

Soatok wrote:

Following up on a query from @tris this week:

The cryptography you’re using makes it possible for anyone to send messages to a group even if they cannot see message history.

core/src/e2ee.rs at 47b9bfc8bf807ad099d2211a59d6ba80290b0c95 · chatmail/core · GitHub

core/src/pgp.rs at 47b9bfc8bf807ad099d2211a59d6ba80290b0c95 · chatmail/core · GitHub

rpgp/src/composed/message/types.rs at ac6c0f8066c0db48270f5c9e41dd64d13b0813fe · rpgp/rpgp · GitHub

rpgp/src/packet/public_key_encrypted_session_key.rs at 500c52e2838d31ed0f4f67c616ae1540984c2fe4 · rpgp/rpgp · GitHub

rpgp/src/packet/key/public.rs at 500c52e2838d31ed0f4f67c616ae1540984c2fe4 · rpgp/rpgp · GitHub

A modern group key agreement protocol (MLS, etc.) avoids this behavior. I thought you should be made aware of it, if you weren’t otherwise.

The root cause for this behavior is that you’re wrapping a symmetric key to multiple public keys, naively.

In addition to the behavior @tris observed, this also lets you partition the recipients:

Imagine a group of Alice, Bob, Carol, and Dave.

Alice sends k_1 to {Bob, Carol}

Alice sends k_2 to {Dave}

Alice uses AES-GCM to encrypt the underlying message, and uses an exploit such as https://github.com/soatok/gcm-exploit to create a ciphertext that decrypts to two valid plaintexts

In this trivial setup, Alice can abuse Invisible Salamanders to sow disagreement among the other participants.

Read more: https://soatok.blog/2024/09/10/invisible-salamanders-are-not-what-you-think/

To mitigate this: I recommend adding an intermediary key derivation step like so:

1. Sort, then concatenate, the public keys of the recipients.

2. Derive the encryption key as follows: HKDF-SHA512(inputKey, “ENC_KEY_” + step1, null, 32) // ikm, label, salt, len (bytes)

3. Derive a key commitment as follows: HKDF-SHA512(inputKey, “COMMIT_” + step1, null, 32) // ikm, label, salt, len (bytes)

This will prevent the invisible salamanders issue (and binds the encryption key to the recipients’ public keys).

I would also recommend always requiring that the ciphertext be signed by a public key that is a member of the group before it is accepted, to prevent the sort of behavior that @tris observed.

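Added example, not part of Soatok's post and not code from chatmail/core or rpgp: a stdlib-only Python sketch of the three derivation steps quoted above, plus the receiver-side commitment check that defeats the Bob/Carol vs. Dave partition. Assumptions made here: the "label" argument in the post is passed as HKDF `info`, a null salt is the RFC 5869 default (a hash-length string of zero bytes), recipient public keys are raw byte strings (the `pk-*` values are constructed placeholders, not real keys), and the message carries the recipient list so every receiver can recompute the same step-1 binding.

```python
"""Recipient-bound key derivation with a key commitment (added example)."""
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha512
HASH_LEN = HASH().digest_size  # 64 bytes for SHA-512


def hkdf_sha512(ikm: bytes, info: bytes, salt: Optional[bytes], length: int) -> bytes:
    """HKDF (RFC 5869) over SHA-512, with the argument order used in the post:
    ikm, label (used as HKDF 'info'), salt, output length in bytes.
    Assumption: a null salt means the RFC default of HASH_LEN zero bytes."""
    if salt is None:
        salt = b"\x00" * HASH_LEN
    prk = hmac.new(salt, ikm, HASH).digest()  # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # HKDF-Expand: T(n) = HMAC(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def recipient_binding(public_keys) -> bytes:
    """Step 1: sort, then concatenate, the recipients' public keys.
    Sorting makes the binding independent of the order the keys were listed in."""
    return b"".join(sorted(public_keys))


def derive_group_keys(input_key: bytes, public_keys):
    """Steps 2 and 3: derive the encryption key and the key commitment.
    Both depend on the wrapped input key AND on the full recipient set, so a
    key wrapped for a different recipient subset yields different outputs."""
    step1 = recipient_binding(public_keys)
    enc_key = hkdf_sha512(input_key, b"ENC_KEY_" + step1, None, 32)
    commitment = hkdf_sha512(input_key, b"COMMIT_" + step1, None, 32)
    return enc_key, commitment


def recipient_accepts(unwrapped_key: bytes, public_keys, commitment: bytes) -> bool:
    """Receiver-side check: recompute the commitment from the session key this
    recipient unwrapped and the recipient list carried by the message, then
    compare in constant time. Only decrypt the body if it matches."""
    _, expected = derive_group_keys(unwrapped_key, public_keys)
    return hmac.compare_digest(expected, commitment)


# Constructed placeholder values standing in for recipient public keys.
ALICE, BOB, CAROL, DAVE = b"pk-alice", b"pk-bob", b"pk-carol", b"pk-dave"
GROUP = [ALICE, BOB, CAROL, DAVE]


def partition_scenario():
    """The post's split: Alice wraps k_1 for {Bob, Carol} and k_2 for {Dave},
    but the message carries a single commitment. Returns who would accept it."""
    k1 = bytes(range(32))  # constructed session keys, not real material
    k2 = bytes(range(32, 64))
    _, commitment = derive_group_keys(k1, GROUP)  # can only be computed under one key
    return {
        "bob": recipient_accepts(k1, GROUP, commitment),
        "carol": recipient_accepts(k1, GROUP, commitment),
        "dave": recipient_accepts(k2, GROUP, commitment),  # holds k_2: mismatch, rejected
    }


if __name__ == "__main__":
    print(partition_scenario())  # Dave's client refuses the message outright
```

The commitment does the work the AES-GCM tag cannot: GCM will happily authenticate the same ciphertext under both k_1 and k_2, but a single 32-byte HKDF output cannot equal COMMIT_ under two distinct keys without a SHA-512 collision, so the partitioned recipient fails the check before any plaintext is produced. Feeding the sorted recipient list into both labels additionally means a key wrapped for {Bob, Carol} derives a different encryption key than one wrapped for the whole group, which is the "binds the encryption key to the recipients' public keys" property the post describes.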